CIA — But Not Your Typical Security Triad Or the Security Agency
This article will be technical and vocational, reflecting what I have learned, seen, and experienced since I got into cybersecurity. I got into cybersecurity last year around May when BITS sent us home due to the COVID-19 pandemic, and honestly, this move is the reason I am today. Enough of the backstory. Let’s get into the main story. At the start, all I knew about cybersecurity was hacking and hacking. It took me one proper course and went through many blogs, articles, and even some tweets to learn that cybersecurity isn’t simply hacking and it is much more complex than it and much more diverse with a lot of roles that play a vital role.
Initially, I was into the so ‘cool’ Ethical Hacking and Bugbounty as there was clearly much more money and opportunities out there. There is a saying (not a true say perse xD) in Hindi “Banne gaya cool, bangaya fool.” in English, “Went to become cool but became a fool.” I was literally in that pursuit of becoming cool by being a leet hacker xD. Found the hard way that I am not suitable for pentesting or red team role in general. And thanks to many online resources, blogs, and infosec tweets, I realized that cybersecurity doesn't complete with mere ethical hacking or pentesting. It is much more than that, be it the blue team roles, GRC roles, or the IT management team, as they have their vital role in keeping the business or the chain of operations running.
C.I.A is a well-known abbreviation for almost every single Information Security Professional, also known as the security triad. It was created in the ’90s to work as a guide to information security in an organization. C.I.A stands for Confidentiality, Integrity, and Availability. Where,
- Confidentiality deals with only the right user/group who has access to what they were assigned.
- Integrity deals with both the system or the file are accurate and haven’t been manipulated or changed by other than the owner.
- Availability deals with the availability of the system or its resources when needed.
This security triad was the initial framework for information security. This was a great framework for professionals to work with for their period, and with advancements of computers and computational systems came advancements to its threats and complexity. This framework became less useful as threats with complexity have messed with what the CIA defines as security posture. For example, previously, ransomware was used to lock an individual from their system, which was an infringement of Availability. Modern ransomware doesn't lock an individual out, but they encrypt the user's files, but the user still had access to his system and is left in a usable state. So, you decide if this would constitute an infringement or not. But we are far from that era. Now we have plentiful frameworks, recommendations, guidelines, and standards to help an organization in improving its security posture.
From what I learned, observed, and experienced…
While exploring different cybersecurity roles, I have found my love specifically towards blue team roles and Threat Intelligence roles. And with my recent interview for the malware analyst role served as an eye-opener for me that I am not even close to being a beginner to call myself a malware analyst. From then on, I did analyze myself and what I have learned. After that self-evaluation, I realized that whatever I have learned or taught myself was from free resources that I have found online, and I need to start over from the basics. In this process, I was stuck at one question “What truly drives an individual or an organization towards security?”. Is it really the need to maintain compliance or keep the business/chain of operations running? Or is there something else that I am missing?. This question has given me many ideas, answers and in this process came the thought of the other C.I.A, not the security triad, but much more than that. I believe this new C.I.A deals with modern cybersecurity and the term security in general.
C.I.A — Control, Information, and Affordability.
Control; This struck into my mind when I was thinking of the true reason why does one security? Then I realized security isn’t a luxury nor a fancy word; it has been part of us from the beginning. From what I have seen, I understood security doesn't always be an attack or defense; for me, it is the control one has over his surrounding or his enterprise, devices, and employees for an organization. Have control over our systems, data, resources, and assets ultimately lead to security and cybersecurity. This lead to the making of many tools, frameworks, methodologies, and many more. Ultimately, an organization doesn't boast about the number of tools they have or the number of compliances they have met; all it does matter is how much control does an organization has over its assets, even in the worst scenario. Be it the case of ransomware where how much control the organization has to revert its operational flow to normal or in case of DDoS where the control you have on your systems to make your resources available to the organization or your customers. In the cybersecurity context, we can consider the Control segment for physical assets.
Information has always played an important role as control, be it adversarial information or the digital assets or the intellects/patents of the organization or the fact that how this information flows in the organization. Suppose ransomware has evolved from simply locking users out of their systems to encrypting, exfiltrating followed by DDoS on victim servers to make sure they pay the Ransome. Now an organization doesn't want to be preyed upon by these organizations or much more sophisticated APT’s who might not disturb your operation flow but want to spy or steal your patents or work to replicate which could be either be used for bad things or which could lead to the downfall of your org. Wouldn’t it be amazing for an organization to know beforehand what kind of attack vectors they might be dealing with? or if any intrusions did occur? This Information would likely deal with the data or information that could control your digital assets, or knowing if you have been compromised and what data has been stolen of you plays a crucial role in determining your security aspect.
Affordability, as the name suggests, deals with the financial aspect and the impact aspect. This character isn’t really really technical; it is more of questioning and self-evaluating. Can we afford to face a cyberattack? Can we afford to have our assets stolen?. This character lets an enterprise know if this security solution is really worth it if it were to face an attack that this solution can prevent. If data is stolen, can we face the consequences following the incident after being made public? So, this character is both technical and vocational. After all, it is the money that runs an organization.
This entire writing doesn't really say anything technical or doesn't serve as a framework. It deals with what really drives an organization for the need for security.
This writing is my documented version of what I have seen, learned, and experienced for the past year. I am always up for discussions and corrections. So, please do review it and let me know how it was.
PS: I am always up for correction, and please do give some suggestions that I can work on.
Stay safe and stay curious!!! Till next time ❤
Thank you ❤